[OpenAFS] pam_afs or KfM for auto-authentication on OSX

Alexei Kosut akosut@stanford.edu
Sun, 13 Oct 2002 15:08:11 -0700


On Sun, Oct 13, 2002 at 02:39:17PM -0700, Henry B. Hotz wrote:
> Both of the subject methods *should* allow you to auto-authenticate 
> on login on MacOS X.  What's recommended?

Take a look at the openafs-devel and port-darwin list archives at
<https://lists.openafs.org/mailman/listinfo/>.  There's been a lot of
discussion about this issue in the last month or two.  The short
answer is that Mac OS X 10.2 can't use PAM for loginwindow
authentication, so you pretty much have to use the Apple-provided
(KfM-based) Kerberos authentication mechanism.

With Mac OS X 10.1 (and 10.0, I suppose), you can probably get the PAM
loginwindow authenticator (from the Darwin sources) to work, but I'm
not aware of anyone who's done this.  I assume you were asking about
10.2, though.

> AFAICT the pam module isn't built on OSX.  Anyone tried to make it work?

I think David Botsch was able to get the AFS PAM modules compiled and
working for SSH authentication.

> I haven't got it working yet, but the native Kerberos implementation 
> should get me a K4 tgt.  Then I should be able to do the OpenAFS 
> equivalent to afslog to convert that to a token (whatever the 
> equivalent is).  Anyone gotten this to work?

Yes.  You can use aklog (<http://web.mit.edu/openafs/>) to get an AFS
token from KfM credentials, whether the credentials were obtained at
login time or afterwards.

If you want AFS tokens avaiblale at login time (e.g., for home
directories in AFS), that's a little more complex.  Again, the
port-darwin archives have some discussion and information on getting
this to work.

> While I'm at it, I'm curious:  does everyone rely on the guru's who 
> made the package or does anyone actually install OpenAFS on OSX from 
> source?  Make install doesn't put anything in /Library/StartupItems/ 
> like it needs to.

I sometimes install OpenAFS from source, but I've never used make
install.  I usually start with what an installer (either the official
OpenAFS package or a custom local installer) installs and then copy
new files from "make dest" to the right place by hand.

-- 
Alexei Kosut <akosut@cs.stanford.edu> <http://rescomp.stanford.edu/~akosut/>